The Problem 
SIGINT is very good at 2 things:

1. Establishing lists of potential leads (50-10k+) 

2. Manual analysis to vet individual targets
Input
Tradecraft



A common model for identifier lead lists, today: 
Bulk enrichment of
'SIGINT business knowledge' 



Manual analysis 
Triage Today



After initial enrichment checks, the analyst is often 
left with too many identifiers of "possible interest" 
Percentages are conceptual
Bulk Lead Triage via Behavior Analytics




• Hundreds or thousands of selectors to go through high level vetting very quickly 

• Better triage prioritization allows for highly adjustable thresholds to be set for 
follow-on analysis

• Compliance can be inserted at both the "batch result" and "query" level 

• Potentially utilize multiple clouds & cross-enterprise analytics 
Identifier 'SIGINT Business' Enrichment



Bulk gathering, via Identifier Scoreboard (phase 2/phase 3) 
'Yes/No' Identifier Behavior



Bulk triage, via SIGINT Analytics Mode (start of phase 4)
SIGINT Analytics Mode



Triage by aggregate behaviors
One column per ‘yes/no’ question

Quickly zero in on worthy leads 
SIGINT Analytics Mode - Detailed View




Had direct communications with a targeted identifier? 

[Screenshot of the detailed view. It shows "First heard" and "Last heard" timestamps for the identifier and a table of individual events with Date, Description and Source columns. Descriptions include "was bcc'd on email from" and "received email from". Each Source entry lists a UUID, SIGAD/PDDG, case notation and legal authority category (EO12333).]




Go view target knowledge Go view content Add new knowledge 



External links to guide next steps in analysis 
ECHOBASE Analytics Architecture



Initial set of analytic questions 

• Most running within GHOSTMACHINE framework 
• Limited contributors 
GHOSTMACHINE Analytic Engine provides

• QFD hosting of analytic results 

• RESTful query interface 



Future analytics 

• multiple organizations/frameworks
2012 Olympics Sharing
2012 Olympics Support



• NSA SID Leads Evaluation Cell 




• Triage of Olympics-based leads through the event 

• Leverage both NSA and GCHQ-produced analytics 



• Greater SID-wide usage following the Olympic period 
Contact/Information




- Briefers: 




- ECHOBASE Alias: 